Overview

overview

10

Static

static

3

427c26ece5...18.dll

windows7-x64

10

427c26ece5...18.dll

windows10-2004-x64

10

Resubmissions

14-05-2024 18:40

240514-xbmnbsbb69 10

14-05-2024 18:24

240514-w2jhxsae65 10

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    14-05-2024 18:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    427c26ece5cc58787ae133d0c45b6cc8_JaffaCakes118.dll

  • Size

    5.0MB

  • MD5

    427c26ece5cc58787ae133d0c45b6cc8

  • SHA1

    20ef4eb221b550905e6b7c04a0ae9e80c25e4546

  • SHA256

    2dfd4a11135512683f97ec40fb26bdb121bd5b27644b7d925b7e17aa75bac407

  • SHA512

    84585c3e1ba8c64e6b6f5b4d690215aeb61d4d9adc08a34fefae962677d611abde4173fb8d3665e1b58789b76fed9bd25468264f6fc4000c8356e51944085857

  • SSDEEP

    49152:SnAQJGx+TSqTdX1HkQo6SAASxJM0H9PAMEcaEau3R8yAH1plAH:+DwxcSUDk36SA7xWa9P593R8yAVp2H

Score
10/10
wannacrydiscoveryransomwareworm

Malware Config

Signatures

  • Wannacry

    WannaCry is a ransomware cryptoworm.

    ransomwarewormwannacry
  • Contacts a large (3264) amount of remote hosts 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Executes dropped EXE 3 IoCs
  • Creates a large amount of network flows 1 TTPs

    This may indicate a network scan to discover remotely running services.

    discovery
  • Drops file in System32 directory 1 IoCs
  • Drops file in Windows directory 2 IoCs
  • Modifies data under HKEY_USERS 24 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\427c26ece5cc58787ae133d0c45b6cc8_JaffaCakes118.dll,#1
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:3044
    • C:\Windows\SysWOW64\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\427c26ece5cc58787ae133d0c45b6cc8_JaffaCakes118.dll,#1
      2⤵
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:2016
      • C:\WINDOWS\mssecsvc.exe
        C:\WINDOWS\mssecsvc.exe
        3⤵
        • Executes dropped EXE
        • Drops file in Windows directory
        PID:1932
        • C:\WINDOWS\tasksche.exe
          C:\WINDOWS\tasksche.exe /i
          4⤵
          • Executes dropped EXE
          PID:2732
  • C:\WINDOWS\mssecsvc.exe
    C:\WINDOWS\mssecsvc.exe -m security
    1⤵
    • Executes dropped EXE
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:2584

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\mssecsvc.exe
    Filesize

    3.6MB

    MD5

    7b43d71dbfb4dc8eba0e3e2a010c5a31

    SHA1

    ebaca15297aa0a266c5ebf7f22f08891dc83903d

    SHA256

    133c67eb527809b01c5977c560949ec03c3fb5b87c8ed4bcd38c580c8bfdbd10

    SHA512

    dbff1d2971ffd81f1a3635b8dd6cbbc0543c4f0215f620bbdff04bbf984bf512a9891e177c14f19e5294455b25b1ca8548d532bd47971fb5eb578603ecc91349

    Download Submit
  • C:\Windows\tasksche.exe
    Filesize

    3.4MB

    MD5

    aa7f6c30c24531e82018968e7aaf8138

    SHA1

    1d0723bcd706cbc0ba7b4111b4d18d549ad7a8f7

    SHA256

    dc3fe9a318d69f41e20f378fbd3368b8b7ce30cf1fa17f8d8318612acd24c80c

    SHA512

    2a267267bfa44f74cda7e5f58d1c994381b290ac9c0a46ea8276f60db042fb50f7ba32352478910493a4318b2e8436e9468627d2704921a1203079d3fffce0c1

    Download Submit